Massive 3.7 Million Record Healthcare Cyberattack Discovered

A massive data breach has been reported by a Phoenix AZ-based healthcare organization that has potentially impacted 3.7 million individuals. The attack is the second largest cyberattack reported so far in 2016, second only to last month’s 9.3 million record breach on an as of yet unconfirmed health insurer.

Early reports of the attack on Banner Health indicate that healthcare records were not the primary target. The attack appears to have been conducted to obtain credit card details. The attackers first targeted a system used to process credit card payments for food and beverage purchases. Access to the system first occurred on June 17; however, once access had been gained to the payment system, the malicious actors moved laterally within the network and gained access to servers used to store patient data.

POS attacks are common in the retail sector, yet the attack shows how security vulnerabilities of all types can be exploited and how they can serve as a launchpad for attacks on other parts of a healthcare network.

The attack affects a number of Banner Health locations in Alaska, Arizona, California, Colorado, Nebraska, Nevada and Wyoming. According to a breach notice issued by Banner Health, the attack was discovered on July 7, 2016 after unusual activity was detected on the healthcare provider’s network.

The investigation into the security breach revealed on July 13 that the breach affected patients, health plan members, and food service customers.  Banner Health discovered that the ePHI of patients may also have been compromised in the attack. Initially, on or around June 23, credit card information – cardholder names, numbers, expiry dates, and CCC codes – were determined to have been accessed. However, it soon became apparent that further data had potentially been compromised. Patients’ names, addresses, dates of birth, dates of service, referring physicians’ names, claims data, Social Security numbers, and health insurance information were also potentially accessed by the attackers.

The cyberattack shows just how important it is to conduct a comprehensive risk analysis on all IT systems, even those that do not contain ePHI. The entire network must be assessed for security vulnerabilities even if ePHI is not believed to be at immediate risk of compromise. Cyberattacks are becoming more sophisticated and once network access is gained, attackers may be able to move laterally within a computer network and gain access to patient data.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.